Hackers used ASUS update software to add back doors to PCs worldwide


The AchieVer


Though the attack appears to have targeted a list of 600 machines, the associated malware made its way to an estimated one million people, according to Kaspersky Labs.

ASUS's Live Update utility was compromised by hackers to install malware on PCs, according to a new report from security firm (via Motherboard). The attack, which has been given the name "ShadowHammer," created a back door in the update software, allowing hackers to install malware on machines that had downloaded the compromised utility.

According to Kaspersky Labs, the attack targeted around 600 systems, with the devices' MAC addresses being hardcoded into the malware. That said, Kaspersky has identified that 57,000 of its own customers have installed the compromised ASUS Live Update utility, and the full breadth of people that have downloaded it could be upwards of one million, according to the firm's estimates.


"The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," Kaspersky Labs said in a blog post. "The criminals even made sure the file size of the malicious utility stayed the same as that of the original one."


If installed on one of the presently identified 600 target machines, the back door is then used to install malware on the affected device. If a machine is not among the targets, it simply does nothing, but the back door remains, potentially allowing attackers to compromise PCs further.


Kaspersky Labs says that it has found the same techniques were used "against software from three other vendors." The firm says that it has notified ASUS and the other unnamed companies about the attack, but investigations are still ongoing.

Symantec also confirmed the attack to Motherboard, noting that it identified 13,000 of its own customers who had been affected.


ASUS Live Update is used by the company to ensure users receive BIOS and driver updates, among other things. Though ASUS was alerted of the compromised software in January, a Kaspersky employee who met with ASUS in February told Motherboard that the company has been "largely unresponsive since then and has not notified ASUS customers about the issue."

Live update, auto update, etc. are worthless programs that cause more problems than they solve and are the sign of a lazy computer user. I much prefer to download updates manually and therefore I don't use any update programs and block them when they are part of an installed program. The old adage of "if it isn't broke don't fix it" was never more true than with computers. Take this computer I am typing on now. It is 10 years old. The newest driver was released by the motherboard manufacturer 9 years ago and those are the drivers it has been using ever since. Why? Because they work, the system is stable. I use Nvidia graphics cards but not GeForce Experience, which auto updates the drivers. I prefer to wait a month or so before updating a driver, just to make sure that it doesn't result in a ton of problems for others. And then I manually download and install it.

I learned years ago, the hard way, that driver update programs cause more problems than they could possibly solve since recent drivers do not necessarily support older hardware. The same applies to all the various programs that claim to fix your PC, fix your registry, and so on. Just trash programs that no one needs that actually fix nothing, though they claim they do. Tests by reputable computer gurus have proven that to be a fact.



The AchieVer

ASUS releases fix for Live Update tool abused in ShadowHammer attack

ASUS releases Live Update 3.6.8. Also says that "a very small" number of users were impacted.

ASUS released today a new version of the Live Update tool that contains fixes for vulnerabilities that were exploited by a nation-state group to deploy the ShadowHammer backdoor on up to one million Windows PCs.


ASUS Live Update version 3.6.8 contains the aforementioned fixes, the hardware vendor announced in a press release today.


The company said ASUS Live Update v3.6.8 "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism."


ASUS also said it updated and strengthened its "server-to-end-user software architecture to prevent similar attacks from happening in the future."

ASUS: ONLY NOTEBOOK USERS WERE TARGETED

The company's statement comes after tech news site Motherboard revealed yesterday that a group of nation-state hackers compromised ASUS' Live Update infrastructure and delivered a backdoored version of the ASUS Live Update tool.


Initial assessments by Kaspersky Lab and Symantec estimated the number of infected users ranging between 500,000 and 1,000,000 users.


However, in its press release today, ASUS downplayed this estimate and said that just "a small number of devices have been implanted with malicious code."


The company said that only the Live Update tool used with notebooks had been backdoored, and not all instances of its app --used as a firmware update utility on millions of devices across the world.


ASUS was unable to put a solid figure on the number of impacted users, despite having direct access to its own server logs and knowing of the hack for roughly two months.

MANY QUESTIONS REMAIN UNANSWERED

The ShadowHammer operation, as Kaspersky is calling it, infected hundreds of thousands of users, but the ShadowHammer malware hidden inside the Live Update tool didn't infect users with additional payloads unless their device had a specific MAC address.

Kaspersky said the backdoored Live Update versions they collected featured more than 600 unique MAC addresses on which the ShadowHammer malware would launch further attacks.


ASUS is now using this very advanced target selection mechanism as an excuse to downplay the incident's severity, completely ignoring that a hacker group had direct access to its software update servers in the process.


The company released Live Update 3.6.8, but it is unclear if updating to this version removes all traces of the older backdoored Live Update version.

Many other questions also remain unanswered. For example, how can a regular ASUS customer tell if they automatically received the backdoored version of the Live Update tool or not? It's very likely that most users weren't in the scope of the ShadowHammer group, but do all ASUS users who received a backdoored version of the Live Update app need to wipe and reinstall systems to be fully safe, or is updating to v3.6.8 enough?


ASUS said its customer service has been reaching out to affected users and providing assistance, but the company has not offered any useful information otherwise.


In fact, the company's press release is somewhat disrespectful to both Kaspersky and its customer base.


Instead of thanking the Russian antivirus vendor for discovering this security breach, ASUS linked to a web page on the website of one of Kaspersky's competitors, a page which contains generic information about nation-state hacking groups. ASUS customers who click this link will not receive any useful information about the ShadowHammer attack, and will be even more confused as to how this relates to the ShadowHammer attack, which isn't even mentioned on that page.

ASUS TRIED TO SILENCE KASPERSKY

Kaspersky said the group behind this attack --believed to be Chinese hackers-- ceased all activity on ASUS' servers in November 2018, when they moved on to other operations.


The Russian company discovered the ASUS Live Update compromise in January and reached out to ASUS, which failed to address the hack for nearly two months before the incident blew over in the press yesterday.


Furthermore, according to a tweet from the reporter who broke the story yesterday, ASUS had also tried to have Kaspersky sign a non-disclosure agreement (NDA) in an attempt to keep the incident quiet.

Instead of working with Kaspersky to address this incident in a coordinated manner and provide all the information users needed, ASUS tried to bury the story, and it backfired spectacularly.

Practices like these and ASUS' ignorance of any security-related issues is why the US Federal Trade Commission placed the company under mandatory security audits for the next 20 years back in 2016.


That decision was in regards to the company's home router division, but it appears ASUS' PC division is in the same melting pot of bad security practices.

For now, until ASUS releases more detailed information, ASUS customers can update to Live Update 3.6.8.


They can also use apps provided by ASUS and Kaspersky that check if their device's MAC address was on the list of 600 MACs the ShadowHammer operation targeted. A web-based version of this app is also available on the Kaspersky website.



How to Check if ASUS ShadowHammer Hack Affected Your Device

ZDNet reported recently that ASUS computers running Windows 10 were targeted by APT (advanced persistent threat) attacks being called Operation ShadowHammer. These APT attacks are known to leverage a less known vulnerability and keep using it for a long time. According to ASUS, these APT attacks are initiated by a couple of rogue countries. In this case, these APT attacks abused some vulnerabilities present in an older version of ASUS Update Tool that comes installed on ASUS computers. ASUS has already released an update to the Live Update tool.

If you want to know whether you were affected by the ASUS ShadowHammer hack, then there are two tools available – one is released by Russian security giant Kaspersky and the second is by ASUS.

1. Check Using Kaspersky ShadowHammer Check Tool

  1. Press Win+R, type cmd and press Enter to open command prompt. Alternatively, you can press Win+X and then select Command Prompt from the menu.
  2. In the command prompt, type ipconfig /all and press Enter. Note down the Physical Address (also known as the MAC address) for all the adaptors that have a network connection (for which “Media disconnected” is not being displayed).
  3. Visit https://shadowhammer.kaspersky.com/ in your web browser. Copy-paste or type in the “Physical Address” you noted down in the second step and click on Check Now button.
  4. In a few seconds, it will display the results and show you if you were affected by the ShadowHammer hacking attack or not. If you were affected, then you should restore Windows back to factory settings or contact ASUS for further help.

2. Check Using ASUS Diagnostic Tool

  1. Visit https://www.asus.com/News/hqfgVUyZ6uyAyJe1 and download the ASUS Diagnostic Tool. You can also get the version 1.0.10 of the tool through the direct link – https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
  2. Extract the contents of ZIP file to a folder and double-click on the ASDT.EXE file.
  3. In a few seconds, it will display whether your computer was affected or not.
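The check both tools above perform, and that the ZDNet article describes (the malware only acted on devices whose MAC address was on its list of roughly 600), written out as an added Python example. This is not code from the forum post, Kaspersky or ASUS. It parses the `ipconfig /all` output the first procedure asks you to read, keeps each adapter's Physical Address, normalises the different MAC formats, and compares them with a target list. The real ShadowHammer list is not on this page, so `PLACEHOLDER_TARGET_MACS` is a constructed stand-in, and the `ipconfig` text is a constructed sample. It goes beyond the post in one respect: it can also report disconnected adapters, since a laptop targeted by its wired adapter's MAC may be checked while it is on Wi-Fi.

```python
import re

# Constructed sample of `ipconfig /all` output; adapter names and addresses
# are made up for this example and do not come from the forum post.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Example PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless-AC
   Physical Address. . . . . . . . . : 00-11-22-DD-EE-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-11-22-01-02-03

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Placeholder target list (constructed). The real list of about 600 MACs is
# held by the vendors' check tools and is not reproduced here.
PLACEHOLDER_TARGET_MACS = ["00-11-22-01-02-03", "DE-AD-BE-EF-00-01"]

# Indented "Key . . . : value" lines inside an adapter block.
FIELD_RE = re.compile(r"^\s+(.+?)[ .]+:\s*(.*)$")


def normalize_mac(raw):
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22AA.BBCC, ... and
    return the canonical upper-case, colon-separated form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ipconfig(text):
    """Return one dict per adapter block: name, normalised mac (None when the
    adapter has no usable 48-bit address) and whether media is connected."""
    adapters = []
    current = None
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon,
        # e.g. "Wireless LAN adapter Wi-Fi:".
        if line and not line[0].isspace() and line.endswith(":"):
            name = line[:-1].split(" adapter ", 1)[-1]
            current = {"name": name, "mac": None, "connected": True}
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Media State" and "disconnected" in value.lower():
            current["connected"] = False
        elif key == "Physical Address":
            try:
                current["mac"] = normalize_mac(value)
            except ValueError:
                current["mac"] = None  # tunnel/pseudo adapters have odd addresses
    return adapters


def connected_macs(text):
    """MACs of adapters not reporting 'Media disconnected': exactly what the
    Kaspersky procedure above asks you to note down."""
    return [a["mac"] for a in parse_ipconfig(text) if a["connected"] and a["mac"]]


def all_macs(text):
    """MACs of every adapter, including disconnected ones."""
    return [a["mac"] for a in parse_ipconfig(text) if a["mac"]]


def check_against_targets(macs, targets):
    """Return the subset of `macs` present in `targets`, comparing in canonical
    form so that a formatting difference cannot hide a match."""
    wanted = {normalize_mac(t) for t in targets}
    return sorted(m for m in macs if normalize_mac(m) in wanted)


if __name__ == "__main__":
    for a in parse_ipconfig(SAMPLE_IPCONFIG):
        state = "connected" if a["connected"] else "disconnected"
        print(f"{a['name']:<40} {a['mac'] or '-':<18} {state}")
    hits = check_against_targets(all_macs(SAMPLE_IPCONFIG), PLACEHOLDER_TARGET_MACS)
    print("matches against target list:", hits or "none")
```

With the constructed sample, checking only the connected adapters (as the procedure says) finds nothing, while checking all adapters flags the disconnected Bluetooth adapter's address that sits on the placeholder list. That is the design point of the extra function: a device is selected by whichever adapter's MAC is on the list, not by the adapter that happens to be up when you run the check, so a fleet triage script should look at every adapter.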


Administrator

It's quite concerning this. They are one of the best motherboard companies, should have taken more care of security I think.
